Ultra-low cost sandboxing for application appliances

ABSTRACT

The disclosed architecture facilitates the sandboxing of applications by taking core operating system components that normally run in the operating system kernel or otherwise outside the application process and on which a sandboxed application depends on to run, and converting these core operating components to run within the application process. The architecture takes the abstractions already provided by the host operating system and converts these abstractions for use by the sandbox environment. More specifically, new operating system APIs (application program interfaces) are created that include only the basic computation services, thus, separating the basic services from rich application APIs. The code providing the rich application APIs is copied out of the operating system and into the application environment—the application process.

BACKGROUND

Sandboxing is a security technique for isolating the execution ofuntested code and untrusted applications. The best prior sandboxingsolutions used virtual machines to isolate one application from the restof the applications on a system. With the application isolated in avirtual machine, the isolated application cannot compromise the state ofthe system or other applications. The isolated application can also bemigrated from one computer to another computer by carrying the entirevirtual machine container (both memory and storage). Finally, vendorscan create application appliances by bundling an application and therequired operating system components into a virtual machine that isdistributed to customers.

Users seldom use isolated virtual machines for security in practicebecause the machines are too expensive in terms of computer resourcesbecause the virtual machines emulate low-level hardware interfaces, thusforcing the isolation container to contain a complete operating system.Furthermore, in common use, only the largest applications (such asserver applications) are distributed in virtual machines, again, becausethe storage resource overheads of including a complete separate copy ofthe operating system are too high to justify for all but the largestapplications.

Additionally, memory overhead for virtual machines is high because eachvirtual machine runs a complete (or nearly complete) operating system toabstract virtual hardware (within the virtual machine) to provide thetype of environment expect by an application. For example, a standardapplication expects to run on the abstraction of virtual memory.However, a virtual machine typically provides an abstraction of physicalmemory with page tables, the mechanisms used by an operating system tocreate virtual memory. Likewise, an application expects to access a filesystem, whereas a virtual machine only provides the abstraction of diskblocks. Finally, where an application expects the abstraction of threadsof execution, a virtual machine provides instead the hardwareabstractions of processors, timers, and interrupts, out of which anoperating system creates the abstraction of threads.

SUMMARY

The following presents a simplified summary in order to provide a basicunderstanding of some novel embodiments described herein. This summaryis not an extensive overview, and it is not intended to identifykey/critical elements or to delineate the scope thereof. Its solepurpose is to present some concepts in a simplified form as a prelude tothe more detailed description that is presented later.

The disclosed architecture facilitates the sandboxing of applications bytaking core operating system components that normally run outside theapplication process, and on which the application process depends on torun, and converting these core operating components to run within theapplication process. To reduce overheads, the architecture takes basiccomputing services already provided by the host operating system, suchas virtual memory and threads, and safely isolates these abstractionsfor use by the sandbox environment.

More specifically, new operating system APIs (application programinterfaces) are created that include only basic computation services,thus, separating the basic computation services from rich applicationAPIs. The code providing the rich application APIs is moved out of theoperating system and into the application isolation environment—theapplication process (or can be run external to the application process).

For example, in a Windows™ implementation, the entire Win32 subsystemand the relevant portions of the system registry are copied into theapplication sandbox so that the sandboxed application runs its own copyof the Win32 subsystem. Since the Win32 subsystem now provides servicesto only a single application, the Win32 subsystem need not be protectedwith security checks or other mechanisms, such as placing the Win32subsystem in its own operating system process, from the application.Rather, the Win32 subsystem can be run in the same process as theapplication, further reducing the overheads of providing an isolatedenvironment.

To accomplish this, a remote user I/O server is included in theapplication process as well. The operating system components, whichwould normally rely on device drivers to communicate to hardware such asdisplay, keyboard, and mouse, instead use a remote user I/O server, tocommunicate with remote user I/O devices thereby creating an applicationappliance. By including all of the external operating system componentswith the application the standard system call interface can be disabledat the bottom of a process with an ultra-small operating systeminterface that provides only local compute capability.

To the accomplishment of the foregoing and related ends, certainillustrative aspects are described herein in connection with thefollowing description and the annexed drawings. These aspects areindicative of the various ways in which the principles disclosed hereincan be practiced and all aspects and equivalents thereof are intended tobe within the scope of the claimed subject matter. Other advantages andnovel features will become apparent from the following detaileddescription when considered in conjunction with the drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a secure application execution system in accordancewith the disclosed architecture.

FIG. 2 illustrates a secure application execution system that utilizesan isolation monitor for communications between the isolated applicationand the operating system.

FIG. 3 illustrates future proofing in which an isolated application runson either a first operating system or a second operating system.

FIG. 4 illustrates future proofing in which a first isolated applicationwritten to run on a first operating system and a second isolatedapplication written to run on a second operating system both run on thesame operating system.

FIG. 5 illustrates a method of creating a secure application executionsystem in accordance with the disclosed architecture.

FIG. 6 illustrates further aspects of the method of FIG. 5.

FIG. 7 illustrates a method of factoring operating system code intocomponents to be used in an application appliance environment.

FIG. 8 illustrates a block diagram of a computing system that executesapplication sandboxing in accordance with the disclosed architecture.

DETAILED DESCRIPTION

Operating systems (OSs) mix basic primitives of computation, such asthreads, virtual memory, and file access, with rich APIs (applicationprogram interfaces) such as application configuration management, GUI(graphical user interface) services (e.g., the display of windows anddirection of keyboard and mouse input to specific windows), and userinterfaces components. It is the rich APIs that are desired to beisolated to provide a sandboxed application environment. The disclosedarchitecture takes the abstractions provided by the host operatingsystem and converts (refactors) these abstractions for use in and by thesandbox environment. Basic APIs are refactored to expose only isolatedcomputation abstractions to code in the sandbox environment. Rich APIsare refactored to run as user-space libraries isolated within thesandbox environment.

As applied to Microsoft Windows™ OSs, the disclosed architecturerefactors a Windows OS and moves much of the functionality required byreal applications out of the OS kernel and into user-space libraries.This includes, for example, the complete set of Windows GUI services andthe registry—complex components with wide interfaces that traditionalWindows implements as shared kernel services. This dramatically reducesthe size of the architecture's system-call interface. Behind this narrowinterface is a simple and robust TCB (trusted computing base)implementation.

Running applications according to the architecture provides at least thefollowing benefits: isolation—by moving most of OS functionality out ofthe TCB, processes are much more robustly isolated than in the OS;migration—removing process' reliance on shared kernel state also allowsprocess images to be easily moved from machine to machine; and, futureproofing—each application can incorporate whatever version of the OSlibraries it was written against. As the OS evolves, newer applicationscan be written against new features and use newer libraries on the samemachine. This also supports legacy applications.

This isolation of program state enables the user to start a program andthen move the program's running memory image from one device to another,such as from a desktop computer to a laptop computer, from a laptopcomputer to a mobile phone, from a mobile phone to a server in thecloud, etc. The significant reduction in resources and overhead providedby the disclosed architecture now makes it possible to sandbox everyapplication.

When applied specifically to a Windows™ operating system environment,the rich operating system components on which the sandboxed applicationdepends are converted to run within the application process. For theWindows implementation, a remote user I/O service is implemented usingthe remote desktop protocol (RDP) running within the application processas well. The operating system components, which normally rely on devicedrivers to communicate to hardware such as display, keyboard, and mouse,instead use the RDP server code, thus creating an application appliance.By including all of the external operating system components with theapplication the standard system call interface can be disabled at thebottom of a process with an ultra-small OS interface that provides onlyisolated basic compute capability.

Reference is now made to the drawings, wherein like reference numeralsare used to refer to like elements throughout. In the followingdescription, for purposes of explanation, numerous specific details areset forth in order to provide a thorough understanding thereof. It maybe evident, however, that the novel embodiments can be practiced withoutthese specific details. In other instances, well known structures anddevices are shown in block diagram form in order to facilitate adescription thereof. The intention is to cover all modifications,equivalents, and alternatives falling within the spirit and scope of theclaimed subject matter.

FIG. 1 illustrates a secure application execution system 100 inaccordance with the disclosed architecture. The system 100 includes anisolation container 102 in which an isolated application 104 (denotedIsolated App) runs in isolation from a non-isolated application 106(denoted NON-ISO App). The isolated application 104 and non-isolatedapplication 106 both run in association with a single operating system(OS) 108. Isolated OS subsystems 110 (denoted Isolated OS subsystems) ofthe isolation container 102 provide services to the isolated application104, and non-isolated OS subsystems 112 (denoted NON-ISO OS subsystems)of the OS 108 provide services to the non-isolated application 106. Theisolated OS subsystems 110 and non-isolated OS subsystems 112 provideequivalent services to the corresponding isolated application 104 andnon-isolated application 106.

The OS 108 includes hardware abstractions 114 available for both theisolated and non-isolated applications (104 and 106). Additionally, theOS 108 includes an isolation monitor 116 that provides the interface forservices from the OS 108 to the isolation container 102. The separationof state related to the isolated application 104 from the state relatedto the non-isolated application 106 is represented by the black bar thatextends between the isolated application 104 and the non-isolatedapplication 106, and down into the OS 108 between the isolation monitor116 and the non-isolated OS subsystem 112. The system 100 can alsoinclude in the isolation container 102 isolated application libraries118 (denoted Isolated APP Libraries) for the isolated application 104,and non-isolated application libraries 120 (denoted NON-ISO APPLibraries) for the non-isolated application 106. The libraries (118 and120) expose the services of the OS subsystems (110 and 112) to therespective applications (102 and 104).

The isolation container 102 may also contain a remote user I/O server122 which increases the similarity between the isolated OS subsystems110 and the non-isolated OS subsystems 112 by providing emulations ofcertain hardware components, such as video displays, keyboards, andmice.

Note that as illustrated, the isolated OS subsystem 110 and remote userI/O server 122 are external to the isolated application 104; however, itis to be understood that, alternatively, the isolated OS subsystem 110and remote user I/O server 122 can be part of the isolated application104.

Note that as illustrated, the isolation monitor 116 is a distinct,separate component from the other portions of the OS 108; however, it isto be understood that, alternatively, the isolation monitor 116functionality can be implemented by modifying the other portions of theOS 108 to enable running of the isolating functions of the isolationmonitor 116 for the isolated application 104 in addition to runningnon-isolated functions for the non-isolated application 106.

The equivalent services may include application configuration managementservices, GUI services, printer services, and/or audio services, forexample. The equivalent services are exposed to the isolated application104 and non-isolated application 106 accessed either directly or throughuser-space libraries (118 and 120). The libraries (118 and 120) arecompatible with different versioned isolated and non-isolatedapplications (104 and 106). The operating system 108 further includeshardware abstraction components 114 available for both the isolated andnon-isolated applications (104 and 106). The operating system 108includes the isolation monitor 116 which employs a collection of rulesthat map the approval or denial of requests to access resources to anapplication manifest.

The isolated application 104 and the non-isolated application 106 usebasic computation services provided by the OS. The basic computationservices include one or more of virtual memory management, threadcreation, and thread synchronization.

The manifest defines which resources are optionally available and whichresources are available and required for correct execution of theapplication. The code within the isolation container 102—including theisolated application 104, the isolated application libraries 118, theisolated OS subsystems 110, and the remote user I/O server122—interfaces to the kernel of the operating system 108 through theisolation monitor 116. The contents of the isolation container 102 maybe migrated to a different computing environment by reproducing theaddress space on the different computing environment and then recreatingthe threads and other resource handles on the different computingenvironment using descriptions of those threads and resource handlessaved in the address space of the isolation container 102. In otherwords, the isolated application can be migrated to a second computingenvironment by copying the address space of the isolation container orby reading the address space of the isolation container, which isolationcontainer is in a first computing environment.

FIG. 2 illustrates in more detail the flow of communication through theisolation monitor 116 between the isolation container 102 (also called asandbox environment) and the operating system 108 and external servicessuch as the display and user I/O client 204. The isolated application104, the isolated application libraries 118, the isolated OS subsystems110, and the remote user I/O server 122 can all request services throughthe isolation monitor 116. Services are presented in at least two forms.Services on private virtual memory, threads, private files, and messagesto remote services are presented as system calls by the isolationmonitor 116 and executed through basic computation services 206 withinthe kernel. Other services, such as secured access to the video displayand other user I/O devices including keyboard and mouse, are executed ina display and user I/O client 204 accessed using network protocolstransported through communication pipes connected by the isolationmonitor 116. This is described in greater detail infra.

The isolation monitor 116 defines new OS APIs that include just thebasic computation services, thus separating the basic primitives fromrich application APIs. Then, the code that provides the rich applicationAPIs is copied out of the operating system, from the non-isolated OSsubsystems 112 (of FIG. 1), and into the application process (or sandboxenvironment) to the isolated OS subsystems 110. For example, in aWindows implementation, the entire Win32 subsystem (e.g., Win32 , COM,shell, printing, etc.) is copied into the application sandbox so thateach application runs its own copy of the Win32 subsystem. In a Linux(or Apple™ operating system) implementation, for example, the subsystemcan include X-Windows, display postscript, printing (e.g., common Unixprinting system) and audio (e.g., advanced Linux sound architecture).(Although described in great detail with respect to Windows, asindicated above the disclosed architecture applies to other operatingsystems implementations as well.)

Since the Win32 subsystem now provides services to only a singleapplication, the subsystem need not be protected with security checks orother mechanisms, such as placing it in another operating systemprocess, from the application. Instead, the Win32 subsystem can be runin the same process as the application. The minimal computationinterface required for the sandboxed environment is shown below.

The technique uses a remote user I/O server (e.g., server 122) withinthe application appliance to provide a device driver interface to theWin32 subsystem, but then communicates (through a local communicationchannel) to the user interface services on the host OS via the displayand user I/O client 204. Application compatibility is preserved byreproducing the functionality that Windows provides in the operatingsystem 108 (primarily from the non-isolated OS subsystems 112) ascomponents in the user-mode (as the isolated OS subsystems 110), in theisolated process.

Continuing with the context of a Windows operating system, thesecomponents (the isolated application libraries 118 which provide OS APIcomponents of FIG. 1 and FIG. 2) can include, but are not limited to,the Win OS API module (e.g., which includes kernel132.dll, user32.dll,gdi32.dll ), the “New Technology” NT API module (e.g., ntdll.dll ), RDPdisplay interface (e.g., rdpvdd.dll), and an interface to the isolationmonitor 116 for services and other processes outside the isolatedenvironment. Note that the equivalent services mentioned above are asubset of the services that can be employed in the OS subsystem.

The disclosed architecture utilizes an isolation-optimized interface byproviding at least virtual memory management, file access, threadcreation, pipes, system time, and cryptographically strong random bits.These basic computation services are a sufficient kernel substrate uponwhich to implement higher-level process services as libraries, such as aregistry for configuration management, thread worker factories, and moresophisticated thread synchronization operations. Isolation is enforcedby a combination of virtual memory hardware and a highly restrictedkernel API exposed by the isolation monitor 116. Communication isallowed only through pipes. Pipes may not be configured at runtime;instead, the pipes are declared in the application manifest thatspecifies the requisite files and pipes to other applications or systemservices (such as the desktop display).

The architecture application binary interface (ABI) exports thefollowing abstractions (and each minimizes the OS state stored on behalfof the application, facilitating user-space process migration and futureproofing).

File handles. Memory-mapped files are provided by which applications mapin read-only text and data sections. Processes do not communicatethrough the file system. Following the principle of minimal OS state,the file handles have no cursor; sequential read( ) operations aremanaged by emulation in an isolation application library instead.Conceptually, file mapping can be implemented with a single map systemcall. Since Windows programs first open a file and then map it, filehandles are provided to connect open to map without breaking errorhandling code in applications.

Pipes. Inter-process communication (IPC) and blocking synchronizationare accomplished with ordered, reliable, message-based pipes, equivalentto PF UNIX-domain SOCK DGRAM pipes. When multiple threads attempt toread the same pipe concurrently, each message is delivered to a singlereader. A DkPipeSelect( ) call is provided that returns when data isavailable. This is similar to the Posix (portable OS interface for Unix)convention, in which select and poll return when data is available.Standard Windows pipes have the convention that WaitForMultipleObjects() returns after data has been read, possibly on multiple channels. Thereturn-on-read semantics makes simulating many NT™ (new technology)kernel functions needlessly complicated; therefore, return-on-availablesemantics are provided. Applications specify pipes to other applicationsor to the user interface, in the application manifest.

Threads and processes. ABIs are provided for thread creation and processcreation. Creating a process is more than just creating a thread in anew address space; the kernel also evaluates a new manifest and createsnew pipe and file relationships. As part of process creation, the parentmay request a pipe to the child. To maintain isolation, a process orthread may only terminate itself; there is no ABI to terminate, changethe memory mapping of, or otherwise change the state of a separateprocess or thread.

GUI access. A feature for enabling a narrow isolation boundary is theuse of a minimal pixel-blitting interface. Conventional GUI (graphicaluser interface) APIs such as in Windows and X11 expose a variety ofabstractions, for example, windows, widgets, fonts, menus, events,callbacks, and much more. In contrast, the disclosed architecture movesall of the rendering and event loop functionality into the applicationitself, exposing only simple pixel-blit access to the trusted display,and a one-way flow of low-level keyboard and mouse input messages.

RDP background. The remote user I/O server 122 and the display and userI/O client 204 exchange messages using the remote desktop protocol(RDP), a protocol designed to achieve bandwidth-efficient remote displayaccess. Its application-side component is a video driver and framebuffer that absorbs the output of the rich GUI framework above it. RDPharvests pixmaps (pixel maps) off the frame buffer and transmits thepixmaps to the display component. Mouse click and keystroke events fromthe display component are sent to the application component and injectedinto the GUI framework as if from local devices. RDP encapsulates thecomplexity of the GUI framework on one side of the channel, exposingonly a conceptually simple pixel-blitting interface.

RDP exploits this interface simplicity to insert a variety ofcompression and coding techniques, and even profile-driven adaptivemeta-protocols. This is a simple display-side code base, and a simpleprotocol amenable to sanitization. Essentially, RDP minus compression isa simple blit interface; the work of converting the GUI API to pixels onthe application side and the work of blitting pixels on the display sidehas been done.

The previous application-side implementation of RDP is a kernel-modedisplay driver: it provides a frame buffer target for the output of thelowest layers of the Windows GUI stack, identifies changed pixels, andships buckets of pixels to the display side. The architecture, inrepackaging the kernel-side layers of the Windows GUI stack asin-process application libraries, also links in the application-sidecomponents of RDP in the remote user I/O server 122.

The display-side component, the user I/O client 204, retains the task ofasking the hardware abstracting components 114, such as the display, torender the pixels received from the application-side implementation ofRDP in the remote user I/O server 122. The architecture uses theexisting Windows-based RDP client implementation, stripped down toremove unneeded compression modules to maximize robustness.

A benefit of the blit-based approach, realized by the RDP protocol, isthat it is stateless, isolated, and gracefully handles disconnection.This property is utilized to transparently decouple application logicfrom the user interface, which simplifies the task of process migration.Rather than serializing and migrating complex kernel data structures,these data structures travel in-place in the application's memory image,where the structures were created by the isolated OS subsystems 110.

With respect to refactoring Windows, the architecture moves code out ofthe kernel or re-implements services in user-level libraries. The kernelportion of the Windows subsystem (win32k) is ported from kernel modulesto a user-level dynamically-linked library. A portion of the NT kernelAPI is also re-implemented in a user library on top of the applicationsubsystem kernel API.

Following is background about the Windows OS. In a Windows system, anapplication and its libraries occupy a process along withsystem-supplied user-mode libraries that provide interfaces to the coresystem services (ntdll, similar to the Unix libc) and to the graphicaluser interface (user32 and gdi32, the equivalent of Unix l ibX11 andhigher-level libraries such as libgtk). The NT kernel implements thecore of a monolithic operating system: resource management, scheduling,device drivers, file system, and the registry, a key-value store forconfiguration data. The Windows subsystem (win32k) provides the analogueof an X server, a print server (e.g., the Common Unix Printing System),and audio support (e.g., Advanced Linux Sound Architecture).

There are two system daemons in Windows: csrss and wininit. Csrss (theClient/ServerRuntime SubSystem) is the first user mode process startedduring boot, the analogue of the Unix init daemon. Csrss' systeminitialization duties also include preloading kernel caches with publicdata to be shared among all processes, such as the default fonts,internationalization tables, and cursors. The wininit daemon launchesthe components of the user's desktop upon login, the analogue ofgnome—session. Each new process contacts csrss, which establishes ashared-memory segment between the shared process and win32k used to savekernel-crossings for read-only GUI operations.

The disclosed architecture preserves application compatibility byreproducing the functionality Windows provides in the kernel ascomponents of the user-mode, isolated process. The kernel GUIcomponents, including both the general win32k library and the videodriver implemented by the RDP server, are moved directly into thesubsystem process (the former is part of the isolated OS subsystems 110and the latter is the remote user I/O server 122). The ntdll interfacelibrary is preserved, but rather than calling into the kernel, it nowcalls an NT . shim library, an implementation that simulates the kernelfeatures expected by most applications (part of the isolated OSsubsystems 110).

The isolated process user interface is exposed to the real world via anRDP display client (the user I/O client 204) which accesses the Windowskernel through conventional APIs. In other words, the user I/O client204 is a non-isolated application 106, which uses the non-isolated OSsubsystems 112.

With respect to isolation, a well-isolated process is a usefulmechanism. This is exploited by introducing policies in the form of theapplication firewall. Users specify simple, coarse rules that eitherprotect sensitive data and applications (“allow only these twoapplications to touch this financial data”) or rules that confineuntrusted applications (“disallow this downloaded game from touching anyof my data”). A collection of such rules forms an application firewall.The rules map to approving or denying application manifest requests.

Applications specify requirements for external resources andcommunication pipes with the application manifest. The applicationmanifest specifies which resources are required and which are optional;if an optional pipe is not available, the application loses non-criticalfunctionality. An application's manifest requests a set of IPC pipes.For each pipe, the manifest gives the external name of the pipe, aninternal identifier, and a flag indicating which pipes can toleratedisconnection for migration.

Since all inter-process communication goes through declared pipes, anapplication firewall can impose information flow rules, ruling outparticular pipes, or specifying ALLOW or DENY lists of applications thatmay connect to a given pipe endpoint. The application firewall can beconfigured by the user during application installation.

In one implementation, each application (e.g., isolated application 104)is distributed with all of its requisite files, including supportinglibraries, fonts, and internationalization tables. In an alternativeimplementation, an application's manifest may also specify access to “MyMusic” or “My Documents”, which the user's firewall may approve or deny.

FIG. 3 illustrates future proofing in which the isolated application 104which runs in a first secure application execution system 300 can alsobe run in a second secure application execution system 301. Aspreviously described in FIG. 1, the first secure application executionsystem 300 includes the first operation system 108 with the isolationmonitor 116 (denoted here as a first application monitor). The secondsecure application execution system 301 includes a second operatingsystem 308 with a second isolation monitor 316. The basic computationservices exposed by the second isolation monitor 316 are compatible withthe basic computation services exposed by the first isolation monitor116.

When run on the second operating system 308, the isolated application104 is placed in a different isolation container 302 as is compatibleand provided by the second OS 308, and isolated application 104 uses theexact same application code and the same code for the same isolatedapplication libraries 118, isolated OS subsystems 110, and remote userI/O server 122. Providing compatibility between the first operatingsystem 108 and the second operating system 308 is straightforward withthe disclosed architecture, because the rich APIs that are often largein number and have complex semantics which are captured in the isolatedOS subsystems 110. The isolated application 104 runs with the same richAPIs in the isolated OS subsystems 110 whether it runs on the firstoperating system 108 or the second operating system 308.

Note that the isolation containers (102 and 302) can both be run on thesame computer or each on a different computer. Note also that theoperating systems (108 and 308) can be the same type (e.g., Win XP) ofoperating system each run on a different computer, the same singleoperating system (OS 108 is the same operating system as OS 308) runningon a single computer, different type of operating systems (e.g., Win XPversus Win 7) running on the same computer (e.g., via virtual machines,multi-boot configuration, etc.), and so on.

For example, using the described architecture, a newer Windows operatingsystem (e.g., Windows 7™) can be made to run applications written forthe Windows XP operating systems when those applications are combined inan isolation container with Windows XP isolated OS subsystems, and theWindows 7 operating system runs an isolation monitor that exposes a setof basic computation services compatible with the isolation monitortargeted by the Windows XP isolated OS systems.

Conversely, using the described architecture, the Windows XP operatingsystem can run applications written for the Windows 7 operating systemwhen those applications are combined in an isolation container withWindows 7 isolated OS subsystems and the Windows XP operating systemruns an isolation monitor that exposes a set of basic computationservices compatible with the isolation monitor targeted by the Windows 7isolated OS subsystems.

In yet another implementation, an application (e.g., isolatedapplication 104) that normally runs on a Vendor A operating system (OS108) can be made to run on a Vendor B operating system (OS 308, which isdifferent than the Vendor A operating system) by configuring anisolation monitor (the isolation monitor 316) of the Vendor B operatingsystem to interface to the Vendor B operating system, and also interfaceto the isolated OS subsystem (isolated subsystem 110) that facilitatesrunning of the application on the Vendor B operating system.

In a more specific example of the above generalization using Windows andApple programs (but also applies to any mix of programs and operatingsystems), the isolated application 104 of the secure applicationexecution system 300 (e.g., Windows application running on a Windowoperating system) is now desired to be run in the second secureapplication execution system 301 of an Apple operating system (a Windowsapplication on an Apple operating system).

To make this work, the second isolation monitor 316 is designed tointerface to the Apple OS (the second OS 308) and expose a set of basiccomputation services compatible with the Windows-based isolated OSsubsystem 110 (as used in the first isolation container 102, but nowalso used in the second isolation container 302). Those skilled in theart will recognize that creating a compatible isolation monitor isrelatively straightforward because of the small number and simplesemantics of the basic computation services (e.g., in oneimplementation, the isolation monitor is fewer than 5,000 lines of C++code). This is in contrast with the large number and complex semanticsof the rich APIs in the isolated OS subsystems (e.g., one implementationof the Windows Win32 subsystem is over one million lines of C and C++code).

Put another way, a secure application execution system is provided thatcomprises an isolation container in which an application for a first OSruns in isolation, the isolation container formed in association with asecond OS, an isolated OS subsystem that runs in the isolation containerin association with and interfaces to the application to provide richfunctionality to the application, and an isolation monitor of the secondOS that interfaces basic computation services of the second OS to theisolated OS subsystem to enable the application to run in isolation onthe second OS. The basic computation services include at least one ofvirtual memory management, thread creation, or thread synchronization.The isolated application uses a corresponding remote user I/O server tocommunicate with a user I/O client outside the isolation container.

The rich functionality provided by the isolated OS subsystem includes atleast one of a graphical user interface service, an applicationconfiguration management service, a printer service, or an audioservice. The isolated application uses a corresponding remote user I/Oserver to communicate with a user I/O client outside the isolationcontainer. The isolated application is migrated to a second computingenvironment by reading from some or all of an address space of theisolation container, which is in a first computing environment. Theisolation monitor employs a collection of rules that map from anapplication manifest to approval or denial of resource requests, themanifest defines which resources outside the isolation container areavailable to the isolated application.

FIG. 4 illustrates future proofing system 400 in which the operatingsystem 108 and the isolation monitor 116 can run the first isolatedapplication 104 with the first set of isolated OS subsystems 110 and canrun a second isolated application 404 with a second set of isolated OSsubsystems 410, and both isolated OS subsystems (110 and 410) use basiccomputation services exposed through the same isolation monitor 116. Theset of rich APIs exposed by the first set of isolated OS subsystems 110differs in number or semantics from the second set of isolated OSsubsystems 410. The second isolated application 404 is run in a secondisolation container 402 that includes the second isolated application404, a set of second isolated application libraries 418, the second setof isolated OS subsystems 410, and a second remote user I/O server 422.

If the second set of OS subsystems 410 provides sufficient compatibilitywith the first set of OS subsystems 110, the second remote user I/Oserver 422 may be the same as the first remote user I/O server 122.Likewise, the second isolated application libraries 418 may be the sameas the first isolated application libraries 118. Still further, thesecond isolated application 404 may be the same as the first isolatedapplication 104.

For example, a Windows 7 operating system can be made to runapplications written for the Windows XP, Windows Vista, or Windows 7operating systems when those applications are combined in associatedisolation containers with Windows XP, Windows Vista™, or Windows 7isolated OS subsystems, respectively, and the Windows 7 operating runsan isolation monitor compatible with the isolation monitors targeted bythe Windows XP isolated OS subsystems, the Windows Vista isolated OSsubsystems, or the Windows 7 isolated OS subsystems. Those skilled inthe art will recognize that the modifications made to make a first setof isolated OS subsystems, such as the Windows 7 isolated OS subsystems,run on an isolation monitor can be reused to make a second set ofisolated OS subsystems, such as the Windows XP isolated OS subsystems,run on the same isolation monitor. This is the case because the basiccomputation services provided by an isolation monitor are not tailoredto a specific isolated OS subsystem, but instead provide simplesemantics general to many isolated OS subsystems.

Put another way, a secure application execution system is provided thatcomprises a first isolation container in which a first isolatedapplication runs in isolation, and a second isolation container in whicha second isolated application runs in isolation, the first isolatedapplication and the second isolated application running in associationwith a single OS. The system further includes a first isolated OSsubsystem of the first isolation container that provides services to thefirst isolated application, a second isolated OS subsystem of the secondisolation container that provides services to the second isolatedapplication, and an isolation monitor via which basic computationservices are provided to each of the first isolated OS subsystem and thesecond isolated OS subsystem. The basic computation services includevirtual memory management, threads creation, and thread synchronization.

The rich functionality includes at least one of the isolated OSsubsystems, the isolated OS subsystems comprise at least one of agraphical user interface service, an application configurationmanagement service, a printer service, or an audio service. At least oneof the first isolated application or the second isolated applicationuses a corresponding remote user I/O server to communicate with a userI/O client outside of a corresponding isolation container. The firstisolated application uses a first corresponding remote user I/O serverand the second isolated application uses a second corresponding remoteuser I/O server, and the first corresponding remote user I/O server andthe second corresponding remote user I/O server both communicate with afirst user I/O client outside the isolation containers.

In yet another implementation, a secure application execution system isprovided that comprises an isolated OS subsystem that runs in anisolation container and provides services to an isolated applicationequivalent to services provided by a non-isolated OS subsystem to annon-isolated application. The isolated OS subsystem receives basiccomputation services from an isolation monitor in an OS that providessimilar basic computation services to the non-isolated OS subsystem. Thebasic computation services received include virtual memory management,thread creation, and thread synchronization. The equivalent servicesinclude at least one of GUI services, application configurationmanagement services, printer services, or audio services.

With respect to process migration, the disclosed architecture uses apipe disconnect able flag in the manifest to assess whether a processcan be migrated. If every pipe from a process is either disconnectable,or the process on the other end can migrate along with the process, thenthe process may be migrated. By bundling the state and complexity of theGUI into the process itself, a large class of dependencies on the kernelthat typically could make migration difficult, are eliminated andreplaced with RDP's reconnectable protocol. Disruption by reconnectionsis tolerated, since many pipes will be to Internet services.

A challenge is plumbing isolated processes to the reference monitor,adapting the NT APIs, repackaging the win32k GUI library, replacing theregistry, repackaging COM, and organizing the implementation tofacilitate easy migration.

The architecture basic computation API is implemented inside of theisolation monitor 116 (called Dkmon in one implementation).

When Dkmon starts a new process, it creates a suspended Windows process,specifying the dkinit application loader as the binary. The Windowskernel then creates an address space, maps in dkinit and the system-widentdll library, and suspends execution at ntdll's entry point. ntdll isthe analog of the Unix/lib/ld. so, but in Windows, the kernel installs aparticular version of ntdll at the same virtual address in everyprocess, and makes upcalls to functions at fixed offsets into thelibrary. ntdll is modified to make calls. To that end, Dkmon mapsDkNtdll into the new process' virtual memory, then patches thesystem-provided ntdll, overwriting its functions with jumps to DkNtdll;the system library is eviscerated to a jump table.

Dkmon writes a parameter block into the process, communicatinginitialization parameters such as the paths of the manifest andcheckpoint file.

Dkmon resumes the suspended process, causing DkNtdll to set up initiallibrary linkage, including the win32k library, and transfer control todkinit. Dkinit invokes the loader (DkNtdll) dynamically to load theapplication and its imported libraries, and jumps to the application'sentry point.

To avoid Time-Of-Check-To-Time-Of-Use concurrency vulnerabilities, Dkmoncopies in system call arguments exactly once. By reducing the sharedapplication state in the kernel, as well as enforcing coarse isolationpolicies, exposure to state inconsistency is minimized.

In order to provide binary compatibility with existing desktopapplications, user space implementations of many NT kernel functions areprovided in the isolated OS subsystems 110. In some cases, such asallocating virtual memory or opening a file, the NT function is a thinlayer that calls the isolation monitor 116. In other cases, such as thesynchronization mechanisms, the implementation can be more involved.

The NT kernel API exposes several blocking synchronization primitiveswith varying semantics, including events, mutants (mutexes), andsemaphores. Basic features of these synchronization primitives can beimplemented with non-blocking locks and user-level data structures.Functionally, synchronization in the user space using blocking semanticsis facilitated by providing a wait queue inside the kernel when the userspace lock is contended. The signaling mechanism is a pipe. When aprocess blocks on a synchronization handle, such as a mutant, theprocess blocks waiting for data to become available in a pipe associatedwith the event. When a process releases a mutant, the process writes abyte to the pipe and a blocked process is awakened and reads the byte.Only one process will read the byte, so only one process will acquirethe mutant.

Several applications wait on one or more timer handles. Dkmon suppliesonly DkSystemTimeQuery and the ability to block on time via a timeoutargument to DkPipeSelect. The application shim library usesDkSystemTimeQuery to normalize relative timeouts to absolute timeouts.The shim provides timer multiplexing by DkPipeSelecting on the earliesttimeout among the application-specified handles.

A challenge in porting win32k from a kernel library to a user space DLL(dynamic linked library) is to reproduce its complicated, multi-processinitialization sequence. First, the single, system-wide instance of thewin32k module is initialized in kernel space. Second, a csrss-spawneduser space process preloads win32k's caches with shared public objectssuch as fonts and bitmaps. To fetch an object into its cache, win32kmakes upcalls to user32 and gdi32 DLLs, so the user-space process firstloads those dlls before filling the cache. Third, when an ordinary userprocess starts, the process loads its own copies of user32 and gdi32,which connect to win32k and provide GUI service.

The architecture bootstrap first loads and initializes its copy ofwin32k, then loads user and gdi32 without calling the respectiveinitializers, and then fills the win32k caches. Now win32k is completelyinitialized, so the bootstrap calls user32's and gdi32's real libraryinitialization functions. Each DLL has been loaded by the standardloader, so at this point, the bootstrap can request the loader to loadthe user program, and the program's dependencies on user and gdi32 willbe satisfied with the extant instances now bound to win32k.

The read-only shared-memory segment established by csrss is nowestablished as a shared heap, since the two components that access it,win and user 32, share a protection domain. Synchronization code andshim code is provided to get win32k running in the user space.

Windows' kernel object manager manages a hierarchical namespace, mappingpaths to drivers that implement the named objects (analogous to thevnodes that tie files, devices, and/proc together in Unix). The Windowsregistry is an object manager instance that provides a hierarchicalkey-value store. The disclosed architecture refactors the OSrelationship to make applications self-contained. Thus, the NT shimsupplies a registry implementation with no transactions and coarselocking. Each application has a private registry image generated byrunning the application in Windows. The instrumentation records the setof opened keys, snapshots the values in the Windows registry, and emitsa registry image.

Refactoring the COM (component object model) subsystem follows the samebasic pattern: application-side libraries expect to communicate with aseparate server process. An instance of the server code is linked asisolated OS subsystems 110 library inside the process, and a thread iscreated to run it. The application-side library is linked directly tothe server, cutting out the RPC (remote procedure call) stubs.

Migration can be implemented entirely in user space by tracking thelayout of the address space, threads, and handles in user space. Tocheckpoint an application, the contents of the address space (includingthis bookkeeping) are written to a file. In order to initiate acheckpoint, the reference monitor writes a bit into the loader block.Each thread checks this bit before issuing a system call andperiodically while waiting on input from a pipe. Each thread thencheckpoints its register state and terminates without deleting itsstack. The last thread to exit actually performs the copy of the addressspace into the file.

In order to resume from a checkpoint, the application performs basicloader initialization steps, then loads the checkpoint file. Theresuming application then restores all anonymous (non-file backed)memory, followed by the private handles, and finally restores filemappings. Externally visible handles are loaded by the manifest asusual. The application then recreates the threads, forming threadexecution blocks (TEB) to ensure thread identifiers match those in thecheckpointed image. By moving process abstractions into the processitself, the architecture makes the migration task straightforward.

Again, with respect to inter-process communications, the applicationmanifest specifies whether a channel can be broken; processes withunbreakable connections are migrated together. The disclosedarchitecture makes connections to hardware resources, such as the windowmanager, stateless and thereby supports disconnection and reconnectionwithout loss of function, and allows independent migration ofapplication logic and the graphical user interface.

In addition to migrating a process' address space and IPC connections,state stored inside the operating system is also migrated. The disclosedarchitecture migrates processes across disjoint operating systems withmatching ABIs. This is made possible by making all inter-processcommunication channels explicit and minimizing OS state that needs to betracked and restored, thereby enabling the migration of processesentirely at user-level.

A minimal exemplary computation interface utilized for the sandboxedenvironment is described as follows.

// Virtual Memory DKSTATUS DkVirtualMemoryAllocate(    inout PVOID*BaseAddress,    inout PSIZE_T RegionSize,    in ULONG AllocationType,   in ULONG Protect); DKSTATUS DkVirtualMemoryFree(    in PVOIDBaseAddress,    in SIZE_T RegionSize,    in ULONG FreeType); DKSTATUSDkVirtualMemoryProtect(    inout PVOID BaseAddress,    inout SIZE_TRegionSize,    in ULONG NewProtect,    out PULONG OldProtect); // IPCBOOL DkPipeFork(    in HANDLE Handle,    out PULONG64 Token,    outPHANDLE NewHandle); BOOL DkSelfPipeCreate(    out PHANDLE Handle1,   out PHANDLE Handle2,    out PULONG64 Token); ULONG DkPipeRead(    inHANDLE Handle,    in BOOL Async,    in PVOID AsyncToken,    inout PVOID*Buffer,    in ULONG Length,    in_opt PLONG64 Timeout); ULONGDkPipeWrite(    in HANDLE Handle,    in BOOL Async,    in PVOIDAsyncToken,    in PVOID Buffer,    in ULONG Length); ULONG DkPipeSelect(   in ULONG Count,    in const HANDLE *Handles,    in_opt PLONG64Timeout); ULONG DkPipePeek(    in HANDLE Handle); // Isolated FileAccess PVOID DkFileOpen(    in PUNICODE_STRING pUri,    in_opt PVOIDDesiredAddress,    in ACCESS_MASK DesiredAccess,    in ULONG ShareMode,   in ULONG CreateDisposition,    in ULONG CreateOptions,    in SIZE_TOffset,    inout_opt PSIZE_T ViewSize); BOOL DkFileTruncate(    inPUNICODE_STRING Uri,    in SIZE_T Length); DKSTATUS DkFileUnmap(    inPVOID addr); BOOL DkFileSync(    in PVOID addr); BOOL DkFileUnlink(   in PUNICODE_STRING Uri); DKSTATUS DkFileAttributesQuery(    inPUNICODE_STRING Uri,    out PDK_FILE_ATTRIBUTES Attrs); // ThreadingBOOL DkThreadCreate(    in SIZE_T StackSize,    in PDK_THREAD_STARTAddress,    in_opt PVOID Parameter,    in ULONG CreationFlags,   out_opt PHANDLE Pipe,    out_opt PULONG64 PipeToken); VOIDDkThreadExit( ); BOOL DkProcessCreate(    in_opt PUNICODE_STRING Appl,   in_opt PUNICODE_STRING CmdLin,    out_opt PHANDLE Pipe,    out_optPULONG64 PipeToken); VOID DkProcessExit( ); // Other BOOLDkSystemTimeQuery(    out PLONG64 SystemTime); BOOL DkRandomBitsRead(   in out PVOID Buf,    in SIZE_T BufSize); BOOL DkDebugOutput(   inPUNICODE_STRING Message);

Included herein is a set of flow charts representative of exemplarymethodologies for performing novel aspects of the disclosedarchitecture. While, for purposes of simplicity of explanation, the oneor more methodologies shown herein, for example, in the form of a flowchart or flow diagram, are shown and described as a series of acts, itis to be understood and appreciated that the methodologies are notlimited by the order of acts, as some acts may, in accordance therewith,occur in a different order and/or concurrently with other acts from thatshown and described herein. For example, those skilled in the art willunderstand and appreciate that a methodology could alternatively berepresented as a series of interrelated states or events, such as in astate diagram. Moreover, not all acts illustrated in a methodology maybe required for a novel implementation.

FIG. 5 illustrates a method of creating secure application execution inaccordance with the disclosed architecture. At 500, in an operatingsystem kernel, identify rich (non-minimal) functionality from minimalrequisite functionality (the basic computation services 206) associatedwith running an application. The minimal requisite functionality isidentified and exposed to the applications through the isolationmonitor. At 502, the rich functionality is moved from the kernel intouser-space libraries (e.g., in the isolated OS subsystems). At 504,communications between the rich functionality and the kernel isimplemented via an isolation monitor. At 506, the rich functionality isisolated from the kernel using an application firewall of rules thatcontrol interaction between the functionality and the kernel (and othercomponents such as the user I/O client).

FIG. 6 illustrates further aspects of the method of FIG. 5 forconverting additional non-isolated OS subsystems either into isolated OSsubsystems or into external network service, such as the user I/Oclient. Note that the arrowing indicates that each block represents astep that can be included, separately or in combination with otherblocks, as additional aspects of the method represented by the flowchart of FIG. 5. At 600, the rich functionality is run in an applicationprocess of the application or external to the application process. At602, a network interface is provided between the application and thefunctionality for communicating with host operating system services viaa server. At 604, optional external resources, requisite externalresources, and communications pipes, to other applications and systemservices, are specified in an application manifest. At 606, an interfaceto host operating system services is via a kernel interface implementedinside the isolation monitor. At 608, rich functionality services aremoved from the operating system kernel into an isolated OS subsystem,which services include windowing, access control, and user interfaces.

FIG. 7 illustrates a method of factoring operating system code intocomponents to be used in an application appliance environment. At 700, asystem component that exists outside the application process and whichprovides a required service for the application process is identified.At 702, a check is made if the resources managed by the component needto be shared. If so, flow is to 704 where a network protocol is chosento be used to access the shared resource. Flow is then to 706, where theapplication appliance is augmented with code that implements the networkprotocol. At 708, the system component is then accessed as a networkservice.

If, at 702, the resources exposed by the system component do not need tobe shared with other applications, then, flow is to 710, where the codeis copied into the application appliance. For example, the physicalkeyboard, mouse, and video display are shared devices; thus, in oneembodiment, the remote desktop protocol (RDP) can be employed to accessthe shared display at 704 and add RDP server support to the remote userI/O server in step 706 before modifying the Win32k part of the isolatedOS subsystems to use the RDP server code introduced in step 704.

At 712, as the component is copied into the application appliance, anycode that requests security authentication can be removed, disabled, ormodified to grant access. At 714, as the component is copied into theapplication appliance, any code that provides enforcement of securityisolation policies can be removed or disabled. The code can be removedor disabled (or modified to grant access), because the code is nowinside the application appliance, and therefore, will not protect anyother services from an errant or malicious application appliance.

As used in this application, the terms “component” and “system” areintended to refer to a computer-related entity, either hardware, acombination of software and tangible hardware, software, or software inexecution. For example, a component can be, but is not limited to,tangible components such as a processor, chip memory, mass storagedevices (e.g., optical drives, solid state drives, and/or magneticstorage media drives), and computers, and software components such as aprocess running on a processor, an object, an executable, a module, athread of execution, and/or a program. By way of illustration, both anapplication running on a server and the server can be a component. Oneor more components can reside within a process and/or thread ofexecution, and a component can be localized on one computer and/ordistributed between two or more computers. The word “exemplary” may beused herein to mean serving as an example, instance, or illustration.Any aspect or design described herein as “exemplary” is not necessarilyto be construed as preferred or advantageous over other aspects ordesigns.

Referring now to FIG. 8, there is illustrated a block diagram of acomputing system 800 that executes application sandboxing in accordancewith the disclosed architecture. In order to provide additional contextfor various aspects thereof, FIG. 8 and the following description areintended to provide a brief, general description of the suitablecomputing system 800 in which the various aspects can be implemented.While the description above is in the general context ofcomputer-executable instructions that can run on one or more computers,those skilled in the art will recognize that a novel embodiment also canbe implemented in combination with other program modules and/or as acombination of hardware and software.

The computing system 800 for implementing various aspects includes thecomputer 802 having processing unit(s) 804, a computer-readable storagesuch as a system memory 806, and a system bus 808. The processingunit(s) 804 can be any of various commercially available processors suchas single-processor, multi-processor, single-core units and multi-coreunits. Moreover, those skilled in the art will appreciate that the novelmethods can be practiced with other computer system configurations,including minicomputers, mainframe computers, as well as personalcomputers (e.g., desktop, laptop, etc.), hand-held computing devices,microprocessor-based or programmable consumer electronics, and the like,each of which can be operatively coupled to one or more associateddevices.

The system memory 806 can include computer-readable storage (physicalstorage media) such as a volatile (VOL) memory 810 (e.g., random accessmemory (RAM)) and non-volatile memory (NON-VOL) 812 (e.g., ROM, EPROM,EEPROM, etc.). A basic input/output system (BIOS) can be stored in thenon-volatile memory 812, and includes the basic routines that facilitatethe communication of data and signals between components within thecomputer 802, such as during startup. The volatile memory 810 can alsoinclude a high-speed RAM such as static RAM for caching data.

The system bus 808 provides an interface for system componentsincluding, but not limited to, the system memory 806 to the processingunit(s) 804. The system bus 808 can be any of several types of busstructure that can further interconnect to a memory bus (with or withouta memory controller), and a peripheral bus (e.g., PCI, PCIe, AGP, LPC,etc.), using any of a variety of commercially available busarchitectures.

The computer 802 further includes machine readable storage subsystem(s)814 and storage interface(s) 816 for interfacing the storagesubsystem(s) 814 to the system bus 808 and other desired computercomponents. The storage subsystem(s) 814 (physical storage media) caninclude one or more of a hard disk drive (HDD), a magnetic floppy diskdrive (FDD), and/or optical disk storage drive (e.g., a CD-ROM drive DVDdrive), for example. The storage interface(s) 816 can include interfacetechnologies such as EIDE, ATA, SATA, and IEEE 1394, for example.

One or more programs and data can be stored in the memory subsystem 806,a machine readable and removable memory subsystem 818 (e.g., flash driveform factor technology), and/or the storage subsystem(s) 814 (e.g.,optical, magnetic, solid state), including an operating system 820(e.g., OS 108 and OS 308), one or more application programs 822 (e.g.,isolated application 104, non-isolated application 106, and isolatedapplication 404), other program modules 824 (e.g., isolated applicationlibraries 118 and non-isolated application libraries 120), and programdata 826.

The one or more application programs 822, other program modules 824, andprogram data 826 can include the entities and components of the system100 of FIG. 1, entities and components of the system 200 of FIG. 2, theentities and components of FIG. 3, the entities and components of thesystem 400 of FIG. 4, and the methods represented by the flowcharts ofFIGS. 5-7, for example.

Generally, programs include routines, methods, data structures, othersoftware components, etc., that perform particular tasks or implementparticular abstract data types. All or portions of the operating system820, applications 822, modules 824, and/or data 826 can also be cachedin memory such as the volatile memory 810, for example. It is to beappreciated that the disclosed architecture can be implemented withvarious commercially available operating systems or combinations ofoperating systems (e.g., as virtual machines).

The storage subsystem(s) 814 and memory subsystems (806 and 818) serveas computer readable media for volatile and non-volatile storage ofdata, data structures, computer-executable instructions, and so forth.Such instructions, when executed by a computer or other machine, cancause the computer or other machine to perform one or more acts of amethod. The instructions to perform the acts can be stored on onemedium, or could be stored across multiple media, so that theinstructions appear collectively on the one or more computer-readablestorage media, regardless of whether all of the instructions are on thesame media.

Computer readable media can be any available media that can be accessedby the computer 802 and includes volatile and non-volatile internaland/or external media that is removable or non-removable. For thecomputer 802, the media accommodate the storage of data in any suitabledigital format. It should be appreciated by those skilled in the artthat other types of computer readable media can be employed such as zipdrives, magnetic tape, flash memory cards, flash drives, cartridges, andthe like, for storing computer executable instructions for performingthe novel methods of the disclosed architecture.

A user can interact with the computer 802, programs, and data usingexternal user input devices 828 such as a keyboard and a mouse. Otherexternal user input devices 828 can include a microphone, an IR(infrared) remote control, a joystick, a game pad, camera recognitionsystems, a stylus pen, touch screen, gesture systems (e.g., eyemovement, head movement, etc.), and/or the like. The user can interactwith the computer 802, programs, and data using onboard user inputdevices 830 such a touchpad, microphone, keyboard, etc., where thecomputer 802 is a portable computer, for example. These and other inputdevices are connected to the processing unit(s) 804 through input/output(I/O) device interface(s) 832 via the system bus 808, but can beconnected by other interfaces such as a parallel port, IEEE 1394 serialport, a game port, a USB port, an IR interface, etc. The I/O deviceinterface(s) 832 also facilitate the use of output peripherals 834 suchas printers, audio devices, camera devices, and so on, such as a soundcard and/or onboard audio processing capability.

One or more graphics interface(s) 836 (also commonly referred to as agraphics processing unit (GPU)) provide graphics and video signalsbetween the computer 802 and external display(s) 838 (e.g., LCD, plasma)and/or onboard displays 840 (e.g., for portable computer). The graphicsinterface(s) 836 can also be manufactured as part of the computer systemboard.

The computer 802 can operate in a networked environment (e.g., IP-based)using logical connections via a wired/wireless communications subsystem842 to one or more networks and/or other computers. The other computerscan include workstations, servers, routers, personal computers,microprocessor-based entertainment appliances, peer devices or othercommon network nodes, and typically include many or all of the elementsdescribed relative to the computer 802. The logical connections caninclude wired/wireless connectivity to a local area network

(LAN), a wide area network (WAN), hotspot, and so on. LAN and WANnetworking environments are commonplace in offices and companies andfacilitate enterprise-wide computer networks, such as intranets, all ofwhich may connect to a global communications network such as theInternet.

When used in a networking environment the computer 802 connects to thenetwork via a wired/wireless communication subsystem 842 (e.g., anetwork interface adapter, onboard transceiver subsystem, etc.) tocommunicate with wired/wireless networks, wired/wireless printers,wired/wireless input devices 844, and so on. The computer 802 caninclude a modem or other means for establishing communications over thenetwork. In a networked environment, programs and data relative to thecomputer 802 can be stored in the remote memory/storage device, as isassociated with a distributed system. It will be appreciated that thenetwork connections shown are exemplary and other means of establishinga communications link between the computers can be used.

The computer 802 is operable to communicate with wired/wireless devicesor entities using the radio technologies such as the IEEE 802.xx familyof standards, such as wireless devices operatively disposed in wirelesscommunication (e.g., IEEE 802.11 over-the-air modulation techniques)with, for example, a printer, scanner, desktop and/or portable computer,personal digital assistant (PDA), communications satellite, any piece ofequipment or location associated with a wirelessly detectable tag (e.g.,a kiosk, news stand, restroom), and telephone. This includes at leastWi-Fi (or Wireless Fidelity) for hotspots, WiMax, and Bluetooth™wireless technologies. Thus, the communications can be a predefinedstructure as with a conventional network or simply an ad hoccommunication between at least two devices. Wi-Fi networks use radiotechnologies called IEEE 802.11x (a, b, g, etc.) to provide secure,reliable, fast wireless connectivity. A Wi-Fi network can be used toconnect computers to each other, to the Internet, and to wire networks(which use IEEE 802.3-related media and functions).

What has been described above includes examples of the disclosedarchitecture. It is, of course, not possible to describe everyconceivable combination of components and/or methodologies, but one ofordinary skill in the art may recognize that many further combinationsand permutations are possible. Accordingly, the novel architecture isintended to embrace all such alterations, modifications and variationsthat fall within the spirit and scope of the appended claims.Furthermore, to the extent that the term “includes” is used in eitherthe detailed description or the claims, such term is intended to beinclusive in a manner similar to the term “comprising” as “comprising”is interpreted when employed as a transitional word in a claim.

1-9. (canceled)
 10. A computer-implemented secure application executionsystem having computer readable media that store executable instructionsexecuted by a processor, comprising: an isolation container in which anapplication for a first OS runs in isolation, the isolation containerformed in association with a second OS; an isolated OS subsystem thatruns in the isolation container in association with and interfaces tothe application to provide rich functionality to the application; and anisolation monitor of the second OS that interfaces basic computationservices of the second OS to the isolated OS subsystem to enable theapplication to run in isolation on the second OS.
 11. The system ofclaim 10, wherein the basic computation services include at least one ofvirtual memory management, thread creation, or thread synchronization.12. The system of claim 10, wherein the rich functionality provided bythe isolated OS subsystem includes at least one of a graphical userinterface (GUI) service, an application configuration managementservice, a printer service, or an audio service.
 13. The system of claim10, wherein the isolated application uses a corresponding remote userI/O server to communicate with a user I/O client outside the isolationcontainer.
 14. The system of claim 10, wherein the isolated applicationis migrated to a second computing environment by reading from some orall of an address space of the isolation container, which is in a firstcomputing environment.
 15. The system of claim 10, wherein the isolationmonitor employs a collection of rules that map from an applicationmanifest to approval or denial of resource requests, the manifestdefines which resources outside the isolation container are available tothe isolated application. 16-20. (canceled)
 21. A system comprising: oneor more computer readable media storing executable instructions; and oneor more processing units configured to execute the executableinstructions, wherein the executable instructions cause the one or moreprocessing units to: execute an isolated application in an isolationcontainer on the system; provide first operating system (OS) services tothe isolated application using an isolated OS subsystem of the isolationcontainer, wherein the isolated OS subsystem provides the first OSservices via interfaces associated with a first OS; and provide secondOS services to the isolation container using a second OS other than thefirst OS.
 22. The system of claim 21, wherein the second OS servicescomprise basic computation services.
 23. The system of claim 22, whereinthe basic computation services comprise virtual memory management,thread creation, and thread synchronization.
 24. The system of claim 23,wherein the first OS services comprise rich functionality.
 25. Thesystem of claim 24, wherein the rich functionality comprises graphicaluser interface services, application configuration management services,printer services, and audio services.
 26. The system of claim 25,wherein the first OS and the second OS are provided by differentvendors.
 27. The system of claim 25, wherein the first OS and the secondOS are different OS versions provided by a single vendor.
 28. A methodperformed on a computer system, the method comprising: causing anisolated application to execute in an isolation container, the isolationcontainer comprising an application process; executing an isolatedoperating system (OS) subsystem in the application process with theisolated application, wherein the isolated OS subsystem provides firstOS services associated with a first OS to the isolated application; andproviding second OS services to the isolated OS subsystem using a secondOS other than the first OS.
 29. The method of claim 28, furthercomprising: migrating the application process to another computingsystem.
 30. The method of claim 28, further comprising: providing thesecond OS services in another process that is separate from theapplication process.
 31. The method of claim 30, wherein the first OSservices provided in the application process include graphical userinterface services.
 32. The method of claim 29, wherein the second OSservices provided in the another process include virtual memorymanagement services.
 33. The method of claim 32, wherein the first OSservices provided in the application process include graphical userinterface services and the second OS services provided in the anotherprocess include thread creation or thread synchronization services. 34.The method of claim 28, wherein the computer system is a mobile phone.